
Funded By The Department of Homeland Security, SWAMP Delivers A High Performance Computing Platform That Hosts A Wide Variety of Open Source Testing Tools to Improve Software Assurance Practices Throughout the Industry


“SWAMP is a response to better protect this nation and improve the quality of software that powers our critical infrastructure, the Internet, and our daily lives,” said Kevin Greene of the Department of Homeland Security Science and Technology Directorate.

“Software has become a core fabric to all aspects of our lives. It is integral in the operation of our home appliances, embedded devices, point of sale systems, unmanned aerial vehicles, and of course, our mobile devices; and we must not forget that software powers our critical infrastructure. The ubiquitous nature of software makes us all vulnerable and susceptible to potential attacks,” said Software Assurance Manager Kevin E. Greene of the Department of Homeland Security Science and Technology Directorate (DHS S&T). “DHS S&T recognizes the importance of software; the SWAMP is a response to better protect this nation and improve the quality of software that powers our critical infrastructure, the Internet, and our daily lives.”

“The mission of the SWAMP is to advance the state of the art of software assurance through an open and powerful facility. The continuous assurance framework that drives the design and implementation of the SWAMP enables the development of advanced software assurance technologies and lowers the barriers for adoption,” added Miron Livny, Chief Technology Officer of the Morgridge Institute and lead Principal Investigator of the SWAMP. “The new navigation capabilities are a step in our ongoing commitment to increase the cost effectiveness of software assurance technologies, to provide easier access to a diverse collection of software analysis technologies and offer support to integrated viewing of assessment results.”

The SWAMP is run by a team from four academic institutions with broad experience in software assurance, security, open source software development, national distributed facilities and identity management. Hosted at the Morgridge Institute for Research in Madison, the SWAMP occupies a state-of-the-art, secure facility and offers 700 cores, 5 TB of RAM, and 100 TB of HDD, connected through advanced networking capabilities, to meet the continuous assurance needs of multiple software and tool development projects.

SWAMP opened its services to the community in February of 2014 offering five open source static analysis tools that analyze source code for possible security defects without having to execute the program. Used to improve the quality of complex software stacks, static analysis tools have been applied across medical, nuclear, and aviation markets.

After studying data from a wide variety of sources, such as the “CWE/SANS Top 25 Most Dangerous Software Errors” report, collecting input from practitioners in the field, and building on the experience of the SWAMP team itself, the following initial collection of static analysis tools was selected:
• FindBugs: identifies Java program errors using Java bytecode rather than source code
• PMD: finds common programming flaws in Java, JavaScript, XML, and XSL applications
• Cppcheck: detects bugs usually missed by compilers in the C and C++ languages
• Clang Static Analyzer: finds bugs in C, C++, and Objective-C programs
• gcc: a compiler used to ensure C and C++ code is syntactically correct
• CheckStyle: evaluates a wide variety of programming style rules for Java
• error-prone: finds violations of Google’s best practice programming style

These static analysis tools review program code and search for application coding flaws, unintentional or intentional, that could give attackers access to critical company data or customer information. Each of them has been proven to be an effective software assurance (SwA) measure. The new interfaces make it easy for software developers to apply one or many of these tools to a single software package.

Furthermore, the SWAMP hosts almost 400 open source software packages to enable tool developers to improve both the precision and the scope of their tools. SWAMP provides the first testing laboratory for tool developers by hosting software packages from the National Institute of Standards and Technology (NIST) Juliet Test Suite. The Juliet Test Suite is a collection of over 81,000 synthetic C/C++ and Java public domain programs with known flaws. These known flaws are used to test the effectiveness of static analyzers and other software assurance tools. The Juliet Test Suite covers 181 different Common Weakness Enumerations (CWEs) and also includes similar, but non-flawed, code to test tool discrimination, that is, whether a tool reports the flawed version without also reporting its fixed twin.
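The pairing of flawed code with a non-flawed twin is what turns a test suite like Juliet into a measuring instrument rather than a mere workload: a tool earns credit for a test case only when it reports the flaw and stays silent on the fixed variant. The following is an added example, not code from this announcement, from the SWAMP, or from the Juliet Test Suite; the test-case names, the CWE labels attached to them and the analyzer findings are all constructed for illustration, and the layout mirrors Juliet's convention of one "bad" function plus one or more flaw-free "good" functions per test case. It computes, per CWE, the recall, the false-positive rate on flaw-free code, and a strict discrimination rate.

```python
"""Scoring a static analyzer against Juliet-style flawed / non-flawed test cases.

Constructed example: neither the test cases nor the findings below come from the
real Juliet Test Suite or from any SWAMP-hosted tool.
"""
from collections import defaultdict

# Constructed ground truth: (test_case, function) -> CWE the function contains,
# or None for a deliberately flaw-free 'good' variant. Every test case is assumed
# to carry exactly one 'bad' function, as Juliet cases do.
GROUND_TRUTH = {
    ("CWE121_demo_01", "bad"):   "CWE-121",
    ("CWE121_demo_01", "good1"): None,
    ("CWE121_demo_01", "good2"): None,
    ("CWE121_demo_02", "bad"):   "CWE-121",
    ("CWE121_demo_02", "good1"): None,
    ("CWE134_demo_01", "bad"):   "CWE-134",
    ("CWE134_demo_01", "good1"): None,
    ("CWE134_demo_02", "bad"):   "CWE-134",
    ("CWE134_demo_02", "good1"): None,
}

# Constructed output of a hypothetical analyzer: (test_case, function, CWE reported).
FINDINGS = [
    ("CWE121_demo_01", "bad",   "CWE-121"),  # correct
    ("CWE121_demo_02", "bad",   "CWE-121"),  # correct ...
    ("CWE121_demo_02", "good1", "CWE-121"),  # ... but the fixed variant is flagged too
    ("CWE134_demo_01", "bad",   "CWE-134"),  # correct
    ("CWE134_demo_01", "good1", "CWE-476"),  # unrelated warning on flaw-free code
    # CWE134_demo_02/bad produces no finding at all: a miss
]


def score(ground_truth, findings):
    """Return {cwe: {"recall", "fp_rate", "discrimination"}}.

    recall         = flawed functions reported with the right CWE / flawed functions
    fp_rate        = flaw-free functions carrying any report  / flaw-free functions
    discrimination = test cases where the bad function is caught AND every good
                     variant is silent / test cases for that CWE
    """
    reported = defaultdict(set)  # (case, function) -> CWEs the tool reported there
    for case, func, cwe in findings:
        reported[(case, func)].add(cwe)

    # The CWE of a whole test case is the one its 'bad' function carries.
    case_cwe = {case: cwe for (case, _), cwe in ground_truth.items() if cwe}

    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    bad_caught = {}                         # case -> was the flaw reported?
    good_clean = defaultdict(lambda: True)  # case -> were all good variants silent?

    for (case, func), cwe in ground_truth.items():
        bucket = counts[case_cwe[case]]
        if cwe is not None:
            hit = cwe in reported[(case, func)]
            bucket["tp" if hit else "fn"] += 1
            bad_caught[case] = hit
        else:
            noisy = bool(reported[(case, func)])
            bucket["fp" if noisy else "tn"] += 1
            if noisy:
                good_clean[case] = False

    result = {}
    for cwe, c in counts.items():
        cases = [k for k, v in case_cwe.items() if v == cwe]
        discriminated = sum(1 for k in cases if bad_caught.get(k) and good_clean[k])
        negatives = c["fp"] + c["tn"]
        result[cwe] = {
            "recall": c["tp"] / (c["tp"] + c["fn"]),
            "fp_rate": c["fp"] / negatives if negatives else 0.0,
            "discrimination": discriminated / len(cases),
        }
    return result


if __name__ == "__main__":
    for cwe, m in sorted(score(GROUND_TRUTH, FINDINGS).items()):
        print(f"{cwe}: recall={m['recall']:.2f} fp_rate={m['fp_rate']:.2f} "
              f"discrimination={m['discrimination']:.2f}")
```

Recall alone would rate the constructed analyzer perfectly on CWE-121, while the discrimination rate shows it caught only half of those cases cleanly; the CWE-134 good variant that draws an unrelated CWE-476 warning still counts against the tool, since any report on deliberately flaw-free code is noise a developer has to triage.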

“Because the network perimeter has been successfully secured to a great degree, most malicious attacks are now directed at applications, making the need to assess software more critical than ever,” SWAMP Project Manager Patrick Beyer said. “SWAMP provides easy access to a powerful platform that lowers the cost and complexity barriers of software assurance. It allows today’s software developers and security professionals to increase the level of confidence that their software is free from vulnerabilities either intentionally or accidentally designed into the software during its lifecycle. Now, today’s professionals have an array of tools to help ensure their software functions in the intended manner.”

ABOUT THE SWAMP
The SWAMP (SoftWare Assurance MarketPlace) is a Department of Homeland Security funded facility designed to reduce the cost and complexity challenges of software assurance testing. SWAMP consists of a no-cost security testing platform that offers high throughput computing services combined with a comprehensive array of software security testing tools. The SWAMP also includes a broad library of open source vulnerability code samples to help developers improve the quality of their static and dynamic testing tools. All SWAMP activities performed by users are kept completely confidential. A first in the industry, the SWAMP was funded to advance our nation’s cybersecurity, protect our critical infrastructure and improve the reliability of the open-source software used extensively throughout the software community. SWAMP is a joint project run by the Morgridge Institute for Research in Madison, Wisconsin; the University of Illinois-Champaign/Urbana; Indiana University; and the University of Wisconsin-Madison. For more information, please contact the SWAMP at http://www.continuousassurance.org.